Description
In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, request parameters injected inside an expression evaluated by `symfony/expression-language` package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution. This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.
References (1)
Core 1
Core References
Exploit, Mitigation, Third Party Advisory x_refsource_confirm
https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-h6m7-j4h3-9rf5
Scores
CVSS v3
9.6
EPSS
0.0215
EPSS Percentile
79.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Details
CWE
CWE-917
CWE-74
Status
published
Products (2)
sylius/resource-bundle
1.4.0 - 1.4.7Packagist
sylius/syliusresourcebundle
< 1.3.13
Published
Aug 20, 2020
Tracked Since
Feb 18, 2026